From 701d2282a8de677ed2b6c5df6cb468650564f73c Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Thu, 20 May 2021 11:00:24 +0200 Subject: [PATCH] rework security header --- defaults/main.yml | 6 ++++- templates/etc/nginx/conf.d/header.conf.j2 | 18 +++++++------- templates/etc/nginx/sites-available/vhost.j2 | 26 +++++++++++++++++--- 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6641d53..e2e2072 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -90,6 +90,7 @@ nginx_csp_enabled: False nginx_xxxsp_enabled: True nginx_xxxsp_parameters: + - 1 - mode=block nginx_maps: [] @@ -162,13 +163,16 @@ nginx_vhosts_default: # - match: / # root: /var/www/vhosts/default # index: index.html +# add_headers: [] # proxy_pass: # proxy_http_version: "1.1" # proxy_buffering: "off" # proxy_connect_timeout: 3600s # proxy_read_timeout: 3600s # proxy_send_timeout: 3600s -# proxy_headers: [] +# proxy_set_headers: [] +# proxy_hide_headers: [] +# proxy_ignore_headers: [] # proxy_intercept_errors: "off" # custom_options: # custom_options: diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2 index f280949..6560a84 100644 --- a/templates/etc/nginx/conf.d/header.conf.j2 +++ b/templates/etc/nginx/conf.d/header.conf.j2 
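Review bot: The new `- 1` entry makes the role's default `X-XSS-Protection` value `1; mode=block`, but that header is deprecated by current browsers and, as far as I recall, the OWASP Secure Headers page this commit links from header.conf.j2 now recommends sending `0`, because the legacy filter (and `mode=block` in particular) can be abused on the client side. Consider defaulting `nginx_xxxsp_parameters` to `- 0`, or at least recording the trade-off above the list: `# X-XSS-Protection is deprecated; OWASP recommends "0" -- keep "1; mode=block" only for legacy browsers`. The list entry `1` is a YAML integer that Jinja stringifies on join, which works, but `- "1"` would make the intent explicit.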
@@ -2,28 +2,28 @@ {{ ansible_managed | comment }} # protect against protocol downgrading and cookie hijacking -# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts +# https://owasp.org/www-project-secure-headers/#http-strict-transport-security {% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%} -add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}"; +add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always; {% endif %} # improve the protection against Clickjacking -# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo +# https://owasp.org/www-project-secure-headers/#x-frame-options {% if nginx_xfo_enabled %} -add_header X-Frame-Options {{ nginx_xfo_policy }}; +add_header X-Frame-Options {{ nginx_xfo_policy }} always; {% endif %} {% if nginx_csp_enabled and nginx_csp_options is defined %} -add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}"; +add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always; {% endif %} # prevent from interpreting files as something else than declared by the content type in HTTP headers -# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto +# https://owasp.org/www-project-secure-headers/#x-content-type-options {% if nginx_xcto_enabled %} -add_header X-Content-Type-Options nosniff; +add_header X-Content-Type-Options nosniff always; {% endif %} # enables the cross-site scripting (XSS) filter of the browsers -# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp +# https://owasp.org/www-project-secure-headers/#x-xss-protection {% if nginx_xxxsp_enabled %} -add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}"; +add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always; {% endif %} 
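Review bot: The rewritten X-XSS-Protection line joins `nginx_xxxsp_parameters` with `' ; '`, so with the new default list it renders `X-XSS-Protection "1 ; mode=block"`, a space before the semicolon that the old template (`"1; {{ ... }}"`) did not emit. Use the same separator as the HSTS line above: `add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) | join('; ') }}" always;`. Adding `always` to every header is the right call, since without it nginx only sets them on 2xx/3xx responses and error pages would go out unprotected; a one-line comment at the top of the file, `# "always" also applies the headers to 4xx/5xx responses`, would record why it is there.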
diff --git a/templates/etc/nginx/sites-available/vhost.j2 b/templates/etc/nginx/sites-available/vhost.j2 index 9e3c8c1..f2547b2 100644 --- a/templates/etc/nginx/sites-available/vhost.j2 +++ b/templates/etc/nginx/sites-available/vhost.j2 @@ -52,6 +52,14 @@ server { {% if location.index is defined and location.index %} index {{ location.index }}; + {% endif %} + {% if location.add_headers is defined and location.add_headers %} + + include /etc/nginx/conf.d/header.conf; + {% for add in location.add_headers %} + add_header {{ add }}; + {% endfor %} + {% endif %} {% if location.proxy_pass is defined and location.proxy_pass %} proxy_pass {{ location.proxy_pass }}; @@ -73,10 +81,22 @@ server { {% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors %} proxy_intercept_errors {{ location.proxy_intercept_errors }}; {% endif %} - {% if location.proxy_headers is defined and location.proxy_headers %} + {% if location.proxy_set_headers is defined and location.proxy_set_headers %} - {% for pheader in location.proxy_headers %} - proxy_set_header {{ pheader }}; + {% for set in location.proxy_set_headers %} + proxy_set_header {{ set }}; + {% endfor %} + {% endif %} + {% if location.proxy_hide_headers is defined and location.proxy_hide_headers %} + + {% for hide in location.proxy_hide_headers %} + proxy_hide_header {{ hide }}; + {% endfor %} + {% endif %} + {% if location.proxy_ignore_headers is defined and location.proxy_ignore_headers %} + + {% for ignore in location.proxy_ignore_headers %} + proxy_ignore_header {{ ignore }}; {% endfor %} {% endif %} {% endif %}
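Review bot: The `include /etc/nginx/conf.d/header.conf;` placed inside the location is needed because nginx only inherits `add_header` directives from the enclosing level when the current level defines none, and the loop right below it defines some; that reasoning is invisible in the template and should be stated so the include is not removed as redundant, e.g. `{# add_header is not inherited once this location sets its own headers, so re-include the global security headers first #}`. Keying the include on `location.add_headers` is consistent, as a location that only sets `proxy_*` options keeps inheriting the server-level headers. The enclosing `server {` block starts and ends outside this hunk.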
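Review bot: `proxy_ignore_header` is not an nginx directive; the directive is `proxy_ignore_headers` (plural, unlike `proxy_set_header` and `proxy_hide_header`), so any vhost that sets `proxy_ignore_headers` will fail `nginx -t` with an unknown-directive error. Since `proxy_ignore_headers` accepts several fields in one directive, a single line `proxy_ignore_headers {{ location.proxy_ignore_headers | join(' ') }};` in place of the loop avoids relying on repeated directives. Renaming the location key from `proxy_headers` to `proxy_set_headers` also silently drops the `proxy_set_header` lines for existing inventories that still use the old key; a fallback such as `{% set set_headers = location.proxy_set_headers | default(location.proxy_headers | default([])) %}`, or a deprecation note in defaults/main.yml, would keep them working. The enclosing `server {` block starts and ends outside this hunk.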